How to properly configure ftp for /var/www/

Hello,

I have recently installed dietpi on my raspberry 4. I am a fairly new user to self-hosting, so please bear with me.

I have proftpd for accessing my device, and all my web-related stuff is in /var/www/… and using apache2, which works fine so far.

Unfortunately, I cannot figure out how to properly access my files there via ftp.
The folder and files in /var/www/xyz are owned by www-data:www-data, which means that when I access my device via ftp as the dietpi user, I do not have sufficient rights to create files and folders there, which makes working pretty unpleasant.

What does the “correct” way to handle such cases look like? When I access webspace on paid hosting, the ftp user usually works fine.

I’d be glad about any hint or guide to adjust my setup and make this work.

Kind regards
Andi

Hi,

Theoretically, you could add user dietpi to group www-data. This way you should be able to adjust files inside /var/www/ if the group has write permission.

Thanks for your answer! :slight_smile:

Does “theoretically” mean that this is not best practice?

How can I make sure that www-data has write permissions? This group should have them I guess, at least creating files and running some CMS works fine.

I will try adding dietpi to www-data. Does this change come into effect immediately or is a reboot required?

Simply run the following:

ls -la /var/www/

It should display the current permissions on the web-root folder. I will link some explanation of how permissions work.

Probably the following could help with adding a user to a group. It should take effect immediately.

Thanks for these links.

I can see that my cms folder has the permissions drwxr-xr-x, which means the group is not allowed to write files and folders.
If I need to change this, may this cause any issues? Security or usability related?

I tried your suggestion and it works as intended.
Unfortunately, the created files and folders do not belong to www-data but to dietpi and hence cannot be modified by apache or php :frowning:

Can I solve this, or am I forced to log in as www-data (which sounds wrong in my opinion)?

OK, I found a better way compared to adding user dietpi to group www-data :smiley:

You could create a virtual ftp user having the same permissions as user/group www-data. The idea is based on the following blog

Simply create a drop-in configuration

nano /etc/proftpd/conf.d/virt_user.conf

and add the following

# setup virt user
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
#AuthGroupFile /etc/proftpd/ftpd.group
AuthOrder mod_auth_file.c

Save the file and add a new user called ftp. Choose a different name if you like.

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=ftp --uid=33 --gid=33 --home=/var/www --shell=/bin/false

Once done, restart the service

systemctl restart proftpd

This is indeed a very elegant solution. Thanks for your detailed instructions, I will remember this :slight_smile:

I got it working yesterday with some of your hints:

  • I added dietpi user to www-data group
  • set my cms folder permissions to rwxrwx---
  • added the setgid so all newly created files automatically get the www-data group, which works fine for ftp usage.

I do not know whether this is considered bad practice, but I am the only user and ftp is only accessible from my local network and not from the internet, so I think this could be okay.
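The shared-group layout from the last post (group ownership, rwxrwx---, setgid on directories) as an added shell example that is not part of any post in this thread. It applies the layout to a directory tree and then audits it. The function names and the 660 mode for regular files are assumptions made here; symbolic links are not checked.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage on the setup discussed above (run as root):
#   apply_shared_perms /var/www/xyz www-data
#   audit_shared_perms /var/www/xyz www-data

# apply_shared_perms DIR GROUP
# Hand DIR to GROUP; directories become rwxrws---, files rw-rw---- (assumed).
apply_shared_perms() {
    chgrp -R "$2" "$1" || return 1
    # 2770 = setgid + rwx for owner and group, nothing for others.
    # setgid on a directory makes new entries inherit the directory's group.
    find "$1" -type d -exec chmod 2770 {} + || return 1
    find "$1" -type f -exec chmod 660 {} +
}

# audit_shared_perms DIR GROUP
# Print every entry that breaks the layout; return 0 only if none is found.
audit_shared_perms() {
    findings=$(
        # Wrong group: members of GROUP (web server, FTP user) lose access.
        find "$1" ! -type l ! -group "$2" \
            -exec printf 'wrong-group %s\n' {} \;
        # Directory missing setgid or group rwx.
        find "$1" -type d ! -perm -2070 \
            -exec printf 'dir-no-setgid-or-group-rwx %s\n' {} \;
        # Regular file the group cannot read and write.
        find "$1" -type f ! -perm -060 \
            -exec printf 'file-not-group-writable %s\n' {} \;
        # Any permission bit granted to "others".
        find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'world-accessible %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

setgid only fixes the group of new files. Their mode still comes from the creating process's umask (for ProFTPD, its `Umask` directive), so running the audit again after an upload shows whether new files are group-writable.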